Techlicious Blog

Heartbleed Security Bug May be Worst Ever

by on April 08, 2014
in Computer Safety & Support, News, Computers and Software, Blog, Privacy :: 9 comments

On Monday, researchers began sounding the alarm about Heartbleed (CVE-2014-0160), a newly discovered encryption vulnerability that seriously undermines the underlying security of an estimated five hundred thousand websites, including many of the Internet's most popular, such as Yahoo, Flickr and OkCupid. Hackers exploiting the threat could conceivably steal login information, credit card numbers and any other highly sensitive data being sent between your browser and the affected sites.

However, what's not clear, and probably never will be, is which sites were actually subject to malicious activity and what data was stolen. Nor is it easy for the average Internet user to determine which sites were even vulnerable in the first place. This puts us in the unfortunate position of recommending that you change your passwords for every website, but that you only do it for a given site once it has received a security upgrade that prevents future snooping.

Sounds like a massive, complicated undertaking? It is. But that is a reflection of how serious this threat is.

Unfortunately, not all the information about Heartbleed has been easy to read or understand, even for seasoned Internet veterans. Let’s take a closer look at Heartbleed, minus the heavy technical jargon, so you can get a better sense for what happened.

What is Heartbleed?

An incredibly large number of websites, email servers and virtual private networks (VPNs) use security software called OpenSSL to shield communications between your computer and their servers. When you log in to Yahoo, for example, OpenSSL prevents an attacker from intercepting the transmitted data to capture your login and password. The OpenSSL software library is a major part of what keeps much of the world’s private data safe across the web — it's the heart of online security, if you will.

Heartbleed is a major security hole in multiple versions of OpenSSL. Data that a server has already decrypted sits temporarily in its memory, and the bug lets anyone on the Internet read chunks of that memory. That means attackers can sneak a peek at your login credentials, and it can also hand them the encryption key they need to unlock any other sensitive information the site stores and transmits. It can even let hackers impersonate the website in the future using those stolen encryption keys.

If you have a pretty strong understanding of computing technology, full details about the Heartbleed bug are available at heartbleed.com.
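For readers who want to see the mechanism, here is an added illustration (not code from this article or from OpenSSL): a small Python parser for the TLS heartbeat message at the centre of the bug. It applies the bounds check whose absence let a server echo back its own memory. The message layout follows RFC 6520, and the sample records are constructed.

```python
import struct

# Constructed example, not code from Techlicious or OpenSSL: a minimal TLS
# heartbeat (RFC 6520) parser that performs the bounds check the Heartbleed
# fix added. Layout: type (1 byte), payload_length (2 bytes, big endian),
# payload, then at least 16 bytes of padding.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3
MIN_PADDING = 16


def build_heartbeat(payload: bytes, declared_length=None,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a heartbeat request; declared_length overrides the real length so
    a test can construct a malformed record whose header lies about its size."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + padding


def parse_heartbeat(record: bytes) -> bytes:
    """Return the payload, raising ValueError for anything that fails validation."""
    if len(record) < HEADER_LEN:
        raise ValueError("heartbeat shorter than its 3-byte header")
    msg_type, declared_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat type %d" % msg_type)
    # Vulnerable OpenSSL trusted declared_length and echoed that many bytes of
    # memory back. The fix refuses any record where header + payload + minimum
    # padding would reach past the bytes actually received.
    if HEADER_LEN + declared_length + MIN_PADDING > len(record):
        raise ValueError("declared payload %d bytes but record holds only %d"
                         % (declared_length, len(record)))
    return record[HEADER_LEN:HEADER_LEN + declared_length]


def heartbeat_is_well_formed(record: bytes) -> bool:
    """Boolean wrapper a server or IDS rule could use to drop bad records."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_heartbeat(b"ping")
    bad = build_heartbeat(b"ping", declared_length=0xFFFF)  # constructed malformed record
    print(parse_heartbeat(good))          # b'ping'
    print(heartbeat_is_well_formed(bad))  # False
```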

How can I stay protected?

The good news is that there is no evidence that hackers have used the Heartbleed exploit to steal data. That's not to say an attack hasn't happened, just that it would be very difficult to determine if one did. But you can bet the attacks will start ramping up now that the exploit is widely known.

Unfortunately, even the best anti-virus software won’t protect against Heartbleed. The only way to stay safe—for now—is to avoid sites that have yet to patch the OpenSSL Heartbleed bug. Hopefully, the browser developers will quickly create a feature that will flag you when visiting a site that is still vulnerable.

Once a site has been fixed, you should change your password as soon as possible. A password management program will help you create and manage unique passwords for every site.

How do I know what sites are still affected?

Many major companies (including Yahoo) have already fixed the vulnerability on their end, but there are still plenty of vulnerable sites out there. Techlicious recommends you use the Heartbleed Test website to check whether your favorite sites or servers are still at risk. If they are, steer clear of entering sensitive information until they get the OK, and then change your password. For sites like Yahoo that are known to have been on the danger list, change those passwords as well.

Techlicious.com is one of the sites still on the vulnerable list. But since we don't have logins for most users, there is little need for concern. However, this does impact our staff logins and we are working to quickly resolve the issue. [UPDATE 4/9/14: The Techlicious server has been patched and is no longer vulnerable]

Have questions?

Ask in the comments below and we'll do our best to answer them based on the latest information.


Best Tablet

From Karen Ackley Briggs on April 09, 2014 :: 3:23 pm

What is the best inexpensive tablet on the market today?


Did you mean to post this here?

From Josh Kirschner on April 09, 2014 :: 5:50 pm

Can you re-ask the question on our Best Small Tablet story: http://www.techlicious.com/review/best-small-tablet-october-2013/?


how to use heartbleed

From Shay Schual-Berke on April 09, 2014 :: 4:20 pm

I’m not sure what the hostname is for the sites I visit, and everything I have tried, e.g. nytimes.com, http://www.nytimes.com etc., doesn’t work. How do I know what the hostname is?


That may be a good thing

From Josh Kirschner on April 09, 2014 :: 6:03 pm

According to the FAQ of the testing site, errors like the one you get for the NY Times are “probably counter-measures, firewalls and IPS closing the connection or sink-holing it when they detect a heartbeat.” In other words, the site may be blocking access to these memory probes. See: http://filippo.io/Heartbleed/faq.html#wentwrong.

Most sites’ URLs I’m checking, though, still work fine with the tool.


Password via FB Login

From eileen on April 16, 2014 :: 10:41 am

At least one site that I log on to via Facebook has told me to change my password. I asked, and they could not answer, if I need to change my FB password because it is now vulnerable or if it’s safe because it’s an indirect login.

Can you tell me? Is my FB pw safe?


Probably safe

From Josh Kirschner on April 16, 2014 :: 11:10 am

The answer is that your Facebook password is most likely safe. There is the possibility that someone could have hacked the key you were using to communicate with FB through the site and use that to impersonate you to Facebook, but I would describe that likelihood as very remote.


Good Answer!

From Eileen on April 16, 2014 :: 2:21 pm

Thank you Josh! That’s what I was hoping to hear. I figured that for them to access FB via the other site was remote and not automatically built into Heartbleed. I appreciate your complete answer.


Is every site safe now?

From Maryan Pelland on April 16, 2014 :: 2:16 pm

I don’t know…I put a poop load of urls into your recommended tool and all came up as safe, though I read that Google is a problem (and I tested Google…no problem found).

I worry about Amazon and Paypal…what do you think?
And what sites are known to be at issue?


No, definitely not all safe

From Josh Kirschner on April 16, 2014 :: 2:40 pm

While most of the major sites were fixed very quickly, we’re still seeing smaller ones with issues. And this is a big concern for anyone who shares passwords between sites or who is using smaller sites to make purchases with credit card information.


If you want to test heartbleed tools to see if they’re working, use http://www.wisegeek.com, which is still vulnerable as of today (not very wise, I guess).
